Modern safety-critical systems composed of multiple virtual platforms require certification at every level.
Use Case Focus
- Company: Airbus
- Sector: Commercial
- Market Segment: Avionics
- Subsegment: Safe and Secure Virtualization
- Hardware: x86 and PowerPC
- Software: PikeOS, POSIX®
“Our next generation aircraft include virtualized subsystems with platforms ranging from POSIX® to Linux. These subsystems must have the independent integrity necessary to ensure certifiable operation of each component. This capability is provided by PikeOS Safe and Secure Virtualization.”
- Efficiency and Stability: Consolidate multiple subsystems onto a single hardware platform.
- Trusted Operations: Protect memory and device resources between subsystems with strict spatial partitioning.
- Safe Real-Time Operations: Provide deterministic timing behavior with temporal partitioning.
- Certifiability: Build applications on top of a certifiable microkernel core.
- Multi-Level Operation: Permit independent levels of certifiability for each partition.
Safety-critical application programs come in various levels of both functional complexity and criticality. Increasingly, there is a desire to consolidate disparate applications on a single hardware architecture for the benefit of efficiency, stability, and ease of maintenance. If several programs having different criticality levels are to coexist in one machine, the underlying OS must ensure that they remain strictly independent and therefore are capable of achieving safety certification independently. PikeOS combines resource partitioning and virtualization to make coexistent applications certifiable independently and at different criticality levels.
Each guest operating system virtual machine (VM) has its own, separate set of resources, and programs hosted by one VM are independent of those hosted by another. This allows for legacy programs such as Linux applications to coexist with safety-critical programs in one machine. Unlike other popular virtualization systems, PikeOS was purpose designed for embedded control systems, therefore it features not only separation of spatial resources, but also strictly separates temporal resources of its client OSes. This allows hard real-time systems to be virtualized, while still retaining their timing properties. This separation of resources is established by a minimal amount of trusted code, so the system is well suited for safety-critical projects requiring certification in accordance with the prevailing standards for software safety.
One example of resource partitioning and virtualization in safety-critical systems is the use of PikeOS by Airbus in the Integrated Modular Avionics (IMA) design for its next generation aircraft. Airbus is using PikeOS for certified equipment to be deployed on the A350 XWB aircraft.
Among the many requirements related to this new IMA Airbus architecture, the following were particularly important:
- a multi-partitioned system that provides POSIX® as one of the main requirements
- the ability to develop certifiably safe software while also allowing high flexibility including the reuse of existing code
- the possibility to easily build upon the existing technology to provide a secure storage device and network connection access
- a flexible platform that allows interactive display functionality
The two key aspects of PikeOS architecture that enable mixed certification platforms are resource partitioning and virtualization. PikeOS partitions resources both spatially and temporally. Spatial partitioning provides separate resource pools for user memory and kernel memory. Temporal partitioning ensures deterministic access of a program to processor time. Strict partitioning is what enables each application to have its own level of criticality and certifiability, without impact from other partitions.
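To make the temporal side of this concrete, here is an added example, not PikeOS code and not from Airbus or SYSGO: a small Python model of a static major frame divided into fixed time windows (the scheduling style used by ARINC-653 systems). The partition names, window lengths and workloads are constructed for illustration. It contrasts a budgeted schedule, where a partition is pre-empted at the end of its window regardless of how much it still wants, with an unbudgeted first-come scheduler, where one runaway guest starves everything behind it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Window:
    """One reserved time slice inside the major frame (constructed model)."""
    partition: str   # partition that owns this slice
    start: int       # offset in ticks from the start of the major frame
    length: int      # ticks reserved for the partition


def validate_schedule(windows, major_frame):
    """Reject overlapping, empty, or out-of-frame windows; return them in order."""
    ordered = sorted(windows, key=lambda w: w.start)
    end = 0
    for w in ordered:
        if w.length <= 0 or w.start < end:
            raise ValueError(f"window for {w.partition!r} is empty or overlaps")
        end = w.start + w.length
    if end > major_frame:
        raise ValueError("schedule does not fit in the major frame")
    return ordered


def partitioned_frame(windows, demand, major_frame):
    """Run one major frame under strict temporal partitioning.

    demand maps partition -> CPU ticks it would consume if left alone.
    Each partition receives at most the length of its own window; it is
    pre-empted at the window boundary and cannot borrow another
    partition's time, so every partition's share is fixed in advance.
    """
    received = {p: 0 for p in demand}
    for w in validate_schedule(windows, major_frame):
        received.setdefault(w.partition, 0)
        still_wanted = demand.get(w.partition, 0) - received[w.partition]
        received[w.partition] += max(0, min(w.length, still_wanted))
    return received


def unpartitioned_frame(demand, major_frame):
    """Same workloads on a greedy scheduler with no time budgets (contrast case).

    Partitions are served in the order given; whoever runs first keeps the
    CPU until satisfied, so a busy-looping guest consumes the whole frame.
    """
    received = {}
    remaining = major_frame
    for partition, want in demand.items():
        granted = min(want, remaining)
        received[partition] = granted
        remaining -= granted
    return received


# Constructed schedule: a 100-tick major frame with three windows.
MAJOR_FRAME = 100
SCHEDULE = [
    Window("flight_control", start=0, length=40),
    Window("display", start=40, length=30),
    Window("linux_guest", start=70, length=30),
]

# Constructed workload: the Linux guest has gone into a busy loop and would
# take 10,000 ticks if nobody stopped it; the others stay within budget.
DEMAND = {"linux_guest": 10_000, "flight_control": 25, "display": 30}


if __name__ == "__main__":
    print("partitioned:  ", partitioned_frame(SCHEDULE, DEMAND, MAJOR_FRAME))
    print("unpartitioned:", unpartitioned_frame(DEMAND, MAJOR_FRAME))
```

The partitioned run hands flight control its 25 ticks and the display its 30 whatever the Linux guest does, because the guest's window ends at tick 100 and the frame then restarts from a known state; the greedy run gives the guest all 100 ticks and the safety-critical partitions nothing. That fixed, analysable share of time per partition is what lets each partition's worst-case timing be argued independently during certification.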
In addition to resource partitioning, PikeOS provides virtualization, enabling each partition to host its own operating system. PikeOS implements paravirtualization, the highest performing virtualization approach. Paravirtualization uses an interface that is similar, but not identical, to the underlying hardware, allowing a simpler and more efficient virtual machine than other approaches. Paravirtualized operating systems are explicitly ported to run on top of the PikeOS hypervisor, such that most operations are passed through for direct hardware execution. At the user software level, applications do not require any special adaptation to run on the virtualized operating system compared to a native version of the operating system.
PikeOS supports many types of guest operating systems and programming interfaces, including Linux, real-time POSIX®, ARINC-653, OSEK OS, iTRON, SoftPLC, Ada, and real-time Java. Each partition can contain a different operating environment, and each can be certified independently according to the prevailing certification standards. For example, an Ada partition might be certified to DO-178B Level A, and a real-time POSIX® or Linux partition to Level C.